search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
builtin/receive-pack: use constant-time comparison for HMAC value
[git.git] / builtin / receive-pack.c
blob45e2dd2a65a76f0a4e423de0100b52105181705e
1 #include "builtin.h"
2 #include "repository.h"
3 #include "config.h"
4 #include "lockfile.h"
5 #include "pack.h"
6 #include "refs.h"
7 #include "pkt-line.h"
8 #include "sideband.h"
9 #include "run-command.h"
10 #include "exec-cmd.h"
11 #include "commit.h"
12 #include "object.h"
13 #include "remote.h"
14 #include "connect.h"
15 #include "string-list.h"
16 #include "sha1-array.h"
17 #include "connected.h"
18 #include "argv-array.h"
19 #include "version.h"
20 #include "tag.h"
21 #include "gpg-interface.h"
22 #include "sigchain.h"
23 #include "fsck.h"
24 #include "tmp-objdir.h"
25 #include "oidset.h"
26 #include "packfile.h"
27 #include "object-store.h"
28 #include "protocol.h"
29 #include "commit-reach.h"
30
31 static const char * const receive_pack_usage[] = {
32 N_("git receive-pack <git-dir>"),
33 NULL
34 };
35
36 enum deny_action {
37 DENY_UNCONFIGURED,
38 DENY_IGNORE,
39 DENY_WARN,
40 DENY_REFUSE,
41 DENY_UPDATE_INSTEAD
42 };
43
44 static int deny_deletes;
45 static int deny_non_fast_forwards;
46 static enum deny_action deny_current_branch = DENY_UNCONFIGURED;
47 static enum deny_action deny_delete_current = DENY_UNCONFIGURED;
48 static int receive_fsck_objects = -1;
49 static int transfer_fsck_objects = -1;
50 static struct strbuf fsck_msg_types = STRBUF_INIT;
51 static int receive_unpack_limit = -1;
52 static int transfer_unpack_limit = -1;
53 static int advertise_atomic_push = 1;
54 static int advertise_push_options;
55 static int unpack_limit = 100;
56 static off_t max_input_size;
57 static int report_status;
58 static int use_sideband;
59 static int use_atomic;
60 static int use_push_options;
61 static int quiet;
62 static int prefer_ofs_delta = 1;
63 static int auto_update_server_info;
64 static int auto_gc = 1;
65 static int reject_thin;
66 static int stateless_rpc;
67 static const char *service_dir;
68 static const char *head_name;
69 static void *head_name_to_free;
70 static int sent_capabilities;
71 static int shallow_update;
72 static const char *alt_shallow_file;
73 static struct strbuf push_cert = STRBUF_INIT;
74 static struct object_id push_cert_oid;
75 static struct signature_check sigcheck;
76 static const char *push_cert_nonce;
77 static const char *cert_nonce_seed;
78
79 static const char *NONCE_UNSOLICITED = "UNSOLICITED";
80 static const char *NONCE_BAD = "BAD";
81 static const char *NONCE_MISSING = "MISSING";
82 static const char *NONCE_OK = "OK";
83 static const char *NONCE_SLOP = "SLOP";
84 static const char *nonce_status;
85 static long nonce_stamp_slop;
86 static timestamp_t nonce_stamp_slop_limit;
87 static struct ref_transaction *transaction;
88
89 static enum {
90 KEEPALIVE_NEVER = 0,
91 KEEPALIVE_AFTER_NUL,
92 KEEPALIVE_ALWAYS
93 } use_keepalive;
94 static int keepalive_in_sec = 5;
95
96 static struct tmp_objdir *tmp_objdir;
97
98 static enum deny_action parse_deny_action(const char *var, const char *value)
99 {
100 if (value) {
101 if (!strcasecmp(value, "ignore"))
102 return DENY_IGNORE;
103 if (!strcasecmp(value, "warn"))
104 return DENY_WARN;
105 if (!strcasecmp(value, "refuse"))
106 return DENY_REFUSE;
107 if (!strcasecmp(value, "updateinstead"))
108 return DENY_UPDATE_INSTEAD;
109 }
110 if (git_config_bool(var, value))
111 return DENY_REFUSE;
112 return DENY_IGNORE;
113 }
114
115 static int receive_pack_config(const char *var, const char *value, void *cb)
116 {
117 int status = parse_hide_refs_config(var, value, "receive");
118
119 if (status)
120 return status;
121
122 if (strcmp(var, "receive.denydeletes") == 0) {
123 deny_deletes = git_config_bool(var, value);
124 return 0;
125 }
126
127 if (strcmp(var, "receive.denynonfastforwards") == 0) {
128 deny_non_fast_forwards = git_config_bool(var, value);
129 return 0;
130 }
131
132 if (strcmp(var, "receive.unpacklimit") == 0) {
133 receive_unpack_limit = git_config_int(var, value);
134 return 0;
135 }
136
137 if (strcmp(var, "transfer.unpacklimit") == 0) {
138 transfer_unpack_limit = git_config_int(var, value);
139 return 0;
140 }
141
142 if (strcmp(var, "receive.fsck.skiplist") == 0) {
143 const char *path;
144
145 if (git_config_pathname(&path, var, value))
146 return 1;
147 strbuf_addf(&fsck_msg_types, "%cskiplist=%s",
148 fsck_msg_types.len ? ',' : '=', path);
149 free((char *)path);
150 return 0;
151 }
152
153 if (skip_prefix(var, "receive.fsck.", &var)) {
154 if (is_valid_msg_type(var, value))
155 strbuf_addf(&fsck_msg_types, "%c%s=%s",
156 fsck_msg_types.len ? ',' : '=', var, value);
157 else
158 warning("Skipping unknown msg id '%s'", var);
159 return 0;
160 }
161
162 if (strcmp(var, "receive.fsckobjects") == 0) {
163 receive_fsck_objects = git_config_bool(var, value);
164 return 0;
165 }
166
167 if (strcmp(var, "transfer.fsckobjects") == 0) {
168 transfer_fsck_objects = git_config_bool(var, value);
169 return 0;
170 }
171
172 if (!strcmp(var, "receive.denycurrentbranch")) {
173 deny_current_branch = parse_deny_action(var, value);
174 return 0;
175 }
176
177 if (strcmp(var, "receive.denydeletecurrent") == 0) {
178 deny_delete_current = parse_deny_action(var, value);
179 return 0;
180 }
181
182 if (strcmp(var, "repack.usedeltabaseoffset") == 0) {
183 prefer_ofs_delta = git_config_bool(var, value);
184 return 0;
185 }
186
187 if (strcmp(var, "receive.updateserverinfo") == 0) {
188 auto_update_server_info = git_config_bool(var, value);
189 return 0;
190 }
191
192 if (strcmp(var, "receive.autogc") == 0) {
193 auto_gc = git_config_bool(var, value);
194 return 0;
195 }
196
197 if (strcmp(var, "receive.shallowupdate") == 0) {
198 shallow_update = git_config_bool(var, value);
199 return 0;
200 }
201
202 if (strcmp(var, "receive.certnonceseed") == 0)
203 return git_config_string(&cert_nonce_seed, var, value);
204
205 if (strcmp(var, "receive.certnonceslop") == 0) {
206 nonce_stamp_slop_limit = git_config_ulong(var, value);
207 return 0;
208 }
209
210 if (strcmp(var, "receive.advertiseatomic") == 0) {
211 advertise_atomic_push = git_config_bool(var, value);
212 return 0;
213 }
214
215 if (strcmp(var, "receive.advertisepushoptions") == 0) {
216 advertise_push_options = git_config_bool(var, value);
217 return 0;
218 }
219
220 if (strcmp(var, "receive.keepalive") == 0) {
221 keepalive_in_sec = git_config_int(var, value);
222 return 0;
223 }
224
225 if (strcmp(var, "receive.maxinputsize") == 0) {
226 max_input_size = git_config_int64(var, value);
227 return 0;
228 }
229
230 return git_default_config(var, value, cb);
231 }
232
233 static void show_ref(const char *path, const struct object_id *oid)
234 {
235 if (sent_capabilities) {
236 packet_write_fmt(1, "%s %s\n", oid_to_hex(oid), path);
237 } else {
238 struct strbuf cap = STRBUF_INIT;
239
240 strbuf_addstr(&cap,
241 "report-status delete-refs side-band-64k quiet");
242 if (advertise_atomic_push)
243 strbuf_addstr(&cap, " atomic");
244 if (prefer_ofs_delta)
245 strbuf_addstr(&cap, " ofs-delta");
246 if (push_cert_nonce)
247 strbuf_addf(&cap, " push-cert=%s", push_cert_nonce);
248 if (advertise_push_options)
249 strbuf_addstr(&cap, " push-options");
250 strbuf_addf(&cap, " agent=%s", git_user_agent_sanitized());
251 packet_write_fmt(1, "%s %s%c%s\n",
252 oid_to_hex(oid), path, 0, cap.buf);
253 strbuf_release(&cap);
254 sent_capabilities = 1;
255 }
256 }
257
258 static int show_ref_cb(const char *path_full, const struct object_id *oid,
259 int flag, void *data)
260 {
261 struct oidset *seen = data;
262 const char *path = strip_namespace(path_full);
263
264 if (ref_is_hidden(path, path_full))
265 return 0;
266
267 /*
268 * Advertise refs outside our current namespace as ".have"
269 * refs, so that the client can use them to minimize data
270 * transfer but will otherwise ignore them.
271 */
272 if (!path) {
273 if (oidset_insert(seen, oid))
274 return 0;
275 path = ".have";
276 } else {
277 oidset_insert(seen, oid);
278 }
279 show_ref(path, oid);
280 return 0;
281 }
282
283 static void show_one_alternate_ref(const struct object_id *oid,
284 void *data)
285 {
286 struct oidset *seen = data;
287
288 if (oidset_insert(seen, oid))
289 return;
290
291 show_ref(".have", oid);
292 }
293
294 static void write_head_info(void)
295 {
296 static struct oidset seen = OIDSET_INIT;
297
298 for_each_ref(show_ref_cb, &seen);
299 for_each_alternate_ref(show_one_alternate_ref, &seen);
300 oidset_clear(&seen);
301 if (!sent_capabilities)
302 show_ref("capabilities^{}", &null_oid);
303
304 advertise_shallow_grafts(1);
305
306 /* EOF */
307 packet_flush(1);
308 }
309
310 struct command {
311 struct command *next;
312 const char *error_string;
313 unsigned int skip_update:1,
314 did_not_exist:1;
315 int index;
316 struct object_id old_oid;
317 struct object_id new_oid;
318 char ref_name[FLEX_ARRAY]; /* more */
319 };
320
321 static void rp_error(const char *err, ...) __attribute__((format (printf, 1, 2)));
322 static void rp_warning(const char *err, ...) __attribute__((format (printf, 1, 2)));
323
324 static void report_message(const char *prefix, const char *err, va_list params)
325 {
326 int sz;
327 char msg[4096];
328
329 sz = xsnprintf(msg, sizeof(msg), "%s", prefix);
330 sz += vsnprintf(msg + sz, sizeof(msg) - sz, err, params);
331 if (sz > (sizeof(msg) - 1))
332 sz = sizeof(msg) - 1;
333 msg[sz++] = '\n';
334
335 if (use_sideband)
336 send_sideband(1, 2, msg, sz, use_sideband);
337 else
338 xwrite(2, msg, sz);
339 }
340
341 static void rp_warning(const char *err, ...)
342 {
343 va_list params;
344 va_start(params, err);
345 report_message("warning: ", err, params);
346 va_end(params);
347 }
348
349 static void rp_error(const char *err, ...)
350 {
351 va_list params;
352 va_start(params, err);
353 report_message("error: ", err, params);
354 va_end(params);
355 }
356
357 static int copy_to_sideband(int in, int out, void *arg)
358 {
359 char data[128];
360 int keepalive_active = 0;
361
362 if (keepalive_in_sec <= 0)
363 use_keepalive = KEEPALIVE_NEVER;
364 if (use_keepalive == KEEPALIVE_ALWAYS)
365 keepalive_active = 1;
366
367 while (1) {
368 ssize_t sz;
369
370 if (keepalive_active) {
371 struct pollfd pfd;
372 int ret;
373
374 pfd.fd = in;
375 pfd.events = POLLIN;
376 ret = poll(&pfd, 1, 1000 * keepalive_in_sec);
377
378 if (ret < 0) {
379 if (errno == EINTR)
380 continue;
381 else
382 break;
383 } else if (ret == 0) {
384 /* no data; send a keepalive packet */
385 static const char buf[] = "0005\1";
386 write_or_die(1, buf, sizeof(buf) - 1);
387 continue;
388 } /* else there is actual data to read */
389 }
390
391 sz = xread(in, data, sizeof(data));
392 if (sz <= 0)
393 break;
394
395 if (use_keepalive == KEEPALIVE_AFTER_NUL && !keepalive_active) {
396 const char *p = memchr(data, '\0', sz);
397 if (p) {
398 /*
399 * The NUL tells us to start sending keepalives. Make
400 * sure we send any other data we read along
401 * with it.
402 */
403 keepalive_active = 1;
404 send_sideband(1, 2, data, p - data, use_sideband);
405 send_sideband(1, 2, p + 1, sz - (p - data + 1), use_sideband);
406 continue;
407 }
408 }
409
410 /*
411 * Either we're not looking for a NUL signal, or we didn't see
412 * it yet; just pass along the data.
413 */
414 send_sideband(1, 2, data, sz, use_sideband);
415 }
416 close(in);
417 return 0;
418 }
419
420 static void hmac(unsigned char *out,
421 const char *key_in, size_t key_len,
422 const char *text, size_t text_len)
423 {
424 unsigned char key[GIT_MAX_BLKSZ];
425 unsigned char k_ipad[GIT_MAX_BLKSZ];
426 unsigned char k_opad[GIT_MAX_BLKSZ];
427 int i;
428 git_hash_ctx ctx;
429
430 /* RFC 2104 2. (1) */
431 memset(key, '\0', GIT_MAX_BLKSZ);
432 if (the_hash_algo->blksz < key_len) {
433 the_hash_algo->init_fn(&ctx);
434 the_hash_algo->update_fn(&ctx, key_in, key_len);
435 the_hash_algo->final_fn(key, &ctx);
436 } else {
437 memcpy(key, key_in, key_len);
438 }
439
440 /* RFC 2104 2. (2) & (5) */
441 for (i = 0; i < sizeof(key); i++) {
442 k_ipad[i] = key[i] ^ 0x36;
443 k_opad[i] = key[i] ^ 0x5c;
444 }
445
446 /* RFC 2104 2. (3) & (4) */
447 the_hash_algo->init_fn(&ctx);
448 the_hash_algo->update_fn(&ctx, k_ipad, sizeof(k_ipad));
449 the_hash_algo->update_fn(&ctx, text, text_len);
450 the_hash_algo->final_fn(out, &ctx);
451
452 /* RFC 2104 2. (6) & (7) */
453 the_hash_algo->init_fn(&ctx);
454 the_hash_algo->update_fn(&ctx, k_opad, sizeof(k_opad));
455 the_hash_algo->update_fn(&ctx, out, the_hash_algo->rawsz);
456 the_hash_algo->final_fn(out, &ctx);
457 }
458
459 static char *prepare_push_cert_nonce(const char *path, timestamp_t stamp)
460 {
461 struct strbuf buf = STRBUF_INIT;
462 unsigned char hash[GIT_MAX_RAWSZ];
463
464 strbuf_addf(&buf, "%s:%"PRItime, path, stamp);
465 hmac(hash, buf.buf, buf.len, cert_nonce_seed, strlen(cert_nonce_seed));
466 strbuf_release(&buf);
467
468 /* RFC 2104 5. HMAC-SHA1-80 */
469 strbuf_addf(&buf, "%"PRItime"-%.*s", stamp, (int)the_hash_algo->hexsz, hash_to_hex(hash));
470 return strbuf_detach(&buf, NULL);
471 }
472
473 /*
474 * NEEDSWORK: reuse find_commit_header() from jk/commit-author-parsing
475 * after dropping "_commit" from its name and possibly moving it out
476 * of commit.c
477 */
478 static char *find_header(const char *msg, size_t len, const char *key,
479 const char **next_line)
480 {
481 int key_len = strlen(key);
482 const char *line = msg;
483
484 while (line && line < msg + len) {
485 const char *eol = strchrnul(line, '\n');
486
487 if ((msg + len <= eol) || line == eol)
488 return NULL;
489 if (line + key_len < eol &&
490 !memcmp(line, key, key_len) && line[key_len] == ' ') {
491 int offset = key_len + 1;
492 if (next_line)
493 *next_line = *eol ? eol + 1 : eol;
494 return xmemdupz(line + offset, (eol - line) - offset);
495 }
496 line = *eol ? eol + 1 : NULL;
497 }
498 return NULL;
499 }
500
501 /*
502 * Return zero if a and b are equal up to n bytes and nonzero if they are not.
503 * This operation is guaranteed to run in constant time to avoid leaking data.
504 */
505 static int constant_memequal(const char *a, const char *b, size_t n)
506 {
507 int res = 0;
508 for (size_t i = 0; i < n; i++)
509 res |= a[i] ^ b[i];
510 return res;
511 }
512
513 static const char *check_nonce(const char *buf, size_t len)
514 {
515 char *nonce = find_header(buf, len, "nonce", NULL);
516 timestamp_t stamp, ostamp;
517 char *bohmac, *expect = NULL;
518 const char *retval = NONCE_BAD;
519 size_t noncelen;
520
521 if (!nonce) {
522 retval = NONCE_MISSING;
523 goto leave;
524 } else if (!push_cert_nonce) {
525 retval = NONCE_UNSOLICITED;
526 goto leave;
527 } else if (!strcmp(push_cert_nonce, nonce)) {
528 retval = NONCE_OK;
529 goto leave;
530 }
531
532 if (!stateless_rpc) {
533 /* returned nonce MUST match what we gave out earlier */
534 retval = NONCE_BAD;
535 goto leave;
536 }
537
538 /*
539 * In stateless mode, we may be receiving a nonce issued by
540 * another instance of the server that serving the same
541 * repository, and the timestamps may not match, but the
542 * nonce-seed and dir should match, so we can recompute and
543 * report the time slop.
544 *
545 * In addition, when a nonce issued by another instance has
546 * timestamp within receive.certnonceslop seconds, we pretend
547 * as if we issued that nonce when reporting to the hook.
548 */
549
550 /* nonce is concat(<seconds-since-epoch>, "-", <hmac>) */
551 if (*nonce <= '0' || '9' < *nonce) {
552 retval = NONCE_BAD;
553 goto leave;
554 }
555 stamp = parse_timestamp(nonce, &bohmac, 10);
556 if (bohmac == nonce || bohmac[0] != '-') {
557 retval = NONCE_BAD;
558 goto leave;
559 }
560
561 noncelen = strlen(nonce);
562 expect = prepare_push_cert_nonce(service_dir, stamp);
563 if (noncelen != strlen(expect)) {
564 /* This is not even the right size. */
565 retval = NONCE_BAD;
566 goto leave;
567 }
568 if (constant_memequal(expect, nonce, noncelen)) {
569 /* Not what we would have signed earlier */
570 retval = NONCE_BAD;
571 goto leave;
572 }
573
574 /*
575 * By how many seconds is this nonce stale? Negative value
576 * would mean it was issued by another server with its clock
577 * skewed in the future.
578 */
579 ostamp = parse_timestamp(push_cert_nonce, NULL, 10);
580 nonce_stamp_slop = (long)ostamp - (long)stamp;
581
582 if (nonce_stamp_slop_limit &&
583 labs(nonce_stamp_slop) <= nonce_stamp_slop_limit) {
584 /*
585 * Pretend as if the received nonce (which passes the
586 * HMAC check, so it is not a forged by third-party)
587 * is what we issued.
588 */
589 free((void *)push_cert_nonce);
590 push_cert_nonce = xstrdup(nonce);
591 retval = NONCE_OK;
592 } else {
593 retval = NONCE_SLOP;
594 }
595
596 leave:
597 free(nonce);
598 free(expect);
599 return retval;
600 }
601
602 /*
603 * Return 1 if there is no push_cert or if the push options in push_cert are
604 * the same as those in the argument; 0 otherwise.
605 */
606 static int check_cert_push_options(const struct string_list *push_options)
607 {
608 const char *buf = push_cert.buf;
609 int len = push_cert.len;
610
611 char *option;
612 const char *next_line;
613 int options_seen = 0;
614
615 int retval = 1;
616
617 if (!len)
618 return 1;
619
620 while ((option = find_header(buf, len, "push-option", &next_line))) {
621 len -= (next_line - buf);
622 buf = next_line;
623 options_seen++;
624 if (options_seen > push_options->nr
625 || strcmp(option,
626 push_options->items[options_seen - 1].string)) {
627 retval = 0;
628 goto leave;
629 }
630 free(option);
631 }
632
633 if (options_seen != push_options->nr)
634 retval = 0;
635
636 leave:
637 free(option);
638 return retval;
639 }
640
641 static void prepare_push_cert_sha1(struct child_process *proc)
642 {
643 static int already_done;
644
645 if (!push_cert.len)
646 return;
647
648 if (!already_done) {
649 int bogs /* beginning_of_gpg_sig */;
650
651 already_done = 1;
652 if (write_object_file(push_cert.buf, push_cert.len, "blob",
653 &push_cert_oid))
654 oidclr(&push_cert_oid);
655
656 memset(&sigcheck, '\0', sizeof(sigcheck));
657
658 bogs = parse_signature(push_cert.buf, push_cert.len);
659 check_signature(push_cert.buf, bogs, push_cert.buf + bogs,
660 push_cert.len - bogs, &sigcheck);
661
662 nonce_status = check_nonce(push_cert.buf, bogs);
663 }
664 if (!is_null_oid(&push_cert_oid)) {
665 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT=%s",
666 oid_to_hex(&push_cert_oid));
667 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_SIGNER=%s",
668 sigcheck.signer ? sigcheck.signer : "");
669 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_KEY=%s",
670 sigcheck.key ? sigcheck.key : "");
671 argv_array_pushf(&proc->env_array, "GIT_PUSH_CERT_STATUS=%c",
672 sigcheck.result);
673 if (push_cert_nonce) {
674 argv_array_pushf(&proc->env_array,
675 "GIT_PUSH_CERT_NONCE=%s",
676 push_cert_nonce);
677 argv_array_pushf(&proc->env_array,
678 "GIT_PUSH_CERT_NONCE_STATUS=%s",
679 nonce_status);
680 if (nonce_status == NONCE_SLOP)
681 argv_array_pushf(&proc->env_array,
682 "GIT_PUSH_CERT_NONCE_SLOP=%ld",
683 nonce_stamp_slop);
684 }
685 }
686 }
687
688 struct receive_hook_feed_state {
689 struct command *cmd;
690 int skip_broken;
691 struct strbuf buf;
692 const struct string_list *push_options;
693 };
694
695 typedef int (*feed_fn)(void *, const char **, size_t *);
696 static int run_and_feed_hook(const char *hook_name, feed_fn feed,
697 struct receive_hook_feed_state *feed_state)
698 {
699 struct child_process proc = CHILD_PROCESS_INIT;
700 struct async muxer;
701 const char *argv[2];
702 int code;
703
704 argv[0] = find_hook(hook_name);
705 if (!argv[0])
706 return 0;
707
708 argv[1] = NULL;
709
710 proc.argv = argv;
711 proc.in = -1;
712 proc.stdout_to_stderr = 1;
713 proc.trace2_hook_name = hook_name;
714
715 if (feed_state->push_options) {
716 int i;
717 for (i = 0; i < feed_state->push_options->nr; i++)
718 argv_array_pushf(&proc.env_array,
719 "GIT_PUSH_OPTION_%d=%s", i,
720 feed_state->push_options->items[i].string);
721 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT=%d",
722 feed_state->push_options->nr);
723 } else
724 argv_array_pushf(&proc.env_array, "GIT_PUSH_OPTION_COUNT");
725
726 if (tmp_objdir)
727 argv_array_pushv(&proc.env_array, tmp_objdir_env(tmp_objdir));
728
729 if (use_sideband) {
730 memset(&muxer, 0, sizeof(muxer));
731 muxer.proc = copy_to_sideband;
732 muxer.in = -1;
733 code = start_async(&muxer);
734 if (code)
735 return code;
736 proc.err = muxer.in;
737 }
738
739 prepare_push_cert_sha1(&proc);
740
741 code = start_command(&proc);
742 if (code) {
743 if (use_sideband)
744 finish_async(&muxer);
745 return code;
746 }
747
748 sigchain_push(SIGPIPE, SIG_IGN);
749
750 while (1) {
751 const char *buf;
752 size_t n;
753 if (feed(feed_state, &buf, &n))
754 break;
755 if (write_in_full(proc.in, buf, n) < 0)
756 break;
757 }
758 close(proc.in);
759 if (use_sideband)
760 finish_async(&muxer);
761
762 sigchain_pop(SIGPIPE);
763
764 return finish_command(&proc);
765 }
766
767 static int feed_receive_hook(void *state_, const char **bufp, size_t *sizep)
768 {
769 struct receive_hook_feed_state *state = state_;
770 struct command *cmd = state->cmd;
771
772 while (cmd &&
773 state->skip_broken && (cmd->error_string || cmd->did_not_exist))
774 cmd = cmd->next;
775 if (!cmd)
776 return -1; /* EOF */
777 strbuf_reset(&state->buf);
778 strbuf_addf(&state->buf, "%s %s %s\n",
779 oid_to_hex(&cmd->old_oid), oid_to_hex(&cmd->new_oid),
780 cmd->ref_name);
781 state->cmd = cmd->next;
782 if (bufp) {
783 *bufp = state->buf.buf;
784 *sizep = state->buf.len;
785 }
786 return 0;
787 }
788
789 static int run_receive_hook(struct command *commands,
790 const char *hook_name,
791 int skip_broken,
792 const struct string_list *push_options)
793 {
794 struct receive_hook_feed_state state;
795 int status;
796
797 strbuf_init(&state.buf, 0);
798 state.cmd = commands;
799 state.skip_broken = skip_broken;
800 if (feed_receive_hook(&state, NULL, NULL))
801 return 0;
802 state.cmd = commands;
803 state.push_options = push_options;
804 status = run_and_feed_hook(hook_name, feed_receive_hook, &state);
805 strbuf_release(&state.buf);
806 return status;
807 }
808
809 static int run_update_hook(struct command *cmd)
810 {
811 const char *argv[5];
812 struct child_process proc = CHILD_PROCESS_INIT;
813 int code;
814
815 argv[0] = find_hook("update");
816 if (!argv[0])
817 return 0;
818
819 argv[1] = cmd->ref_name;
820 argv[2] = oid_to_hex(&cmd->old_oid);
821 argv[3] = oid_to_hex(&cmd->new_oid);
822 argv[4] = NULL;
823
824 proc.no_stdin = 1;
825 proc.stdout_to_stderr = 1;
826 proc.err = use_sideband ? -1 : 0;
827 proc.argv = argv;
828 proc.trace2_hook_name = "update";
829
830 code = start_command(&proc);
831 if (code)
832 return code;
833 if (use_sideband)
834 copy_to_sideband(proc.err, -1, NULL);
835 return finish_command(&proc);
836 }
837
838 static int is_ref_checked_out(const char *ref)
839 {
840 if (is_bare_repository())
841 return 0;
842
843 if (!head_name)
844 return 0;
845 return !strcmp(head_name, ref);
846 }
847
848 static char *refuse_unconfigured_deny_msg =
849 N_("By default, updating the current branch in a non-bare repository\n"
850 "is denied, because it will make the index and work tree inconsistent\n"
851 "with what you pushed, and will require 'git reset --hard' to match\n"
852 "the work tree to HEAD.\n"
853 "\n"
854 "You can set the 'receive.denyCurrentBranch' configuration variable\n"
855 "to 'ignore' or 'warn' in the remote repository to allow pushing into\n"
856 "its current branch; however, this is not recommended unless you\n"
857 "arranged to update its work tree to match what you pushed in some\n"
858 "other way.\n"
859 "\n"
860 "To squelch this message and still keep the default behaviour, set\n"
861 "'receive.denyCurrentBranch' configuration variable to 'refuse'.");
862
863 static void refuse_unconfigured_deny(void)
864 {
865 rp_error("%s", _(refuse_unconfigured_deny_msg));
866 }
867
868 static char *refuse_unconfigured_deny_delete_current_msg =
869 N_("By default, deleting the current branch is denied, because the next\n"
870 "'git clone' won't result in any file checked out, causing confusion.\n"
871 "\n"
872 "You can set 'receive.denyDeleteCurrent' configuration variable to\n"
873 "'warn' or 'ignore' in the remote repository to allow deleting the\n"
874 "current branch, with or without a warning message.\n"
875 "\n"
876 "To squelch this message, you can set it to 'refuse'.");
877
878 static void refuse_unconfigured_deny_delete_current(void)
879 {
880 rp_error("%s", _(refuse_unconfigured_deny_delete_current_msg));
881 }
882
883 static int command_singleton_iterator(void *cb_data, struct object_id *oid);
884 static int update_shallow_ref(struct command *cmd, struct shallow_info *si)
885 {
886 struct lock_file shallow_lock = LOCK_INIT;
887 struct oid_array extra = OID_ARRAY_INIT;
888 struct check_connected_options opt = CHECK_CONNECTED_INIT;
889 uint32_t mask = 1 << (cmd->index % 32);
890 int i;
891
892 trace_printf_key(&trace_shallow,
893 "shallow: update_shallow_ref %s\n", cmd->ref_name);
894 for (i = 0; i < si->shallow->nr; i++)
895 if (si->used_shallow[i] &&
896 (si->used_shallow[i][cmd->index / 32] & mask) &&
897 !delayed_reachability_test(si, i))
898 oid_array_append(&extra, &si->shallow->oid[i]);
899
900 opt.env = tmp_objdir_env(tmp_objdir);
901 setup_alternate_shallow(&shallow_lock, &opt.shallow_file, &extra);
902 if (check_connected(command_singleton_iterator, cmd, &opt)) {
903 rollback_lock_file(&shallow_lock);
904 oid_array_clear(&extra);
905 return -1;
906 }
907
908 commit_lock_file(&shallow_lock);
909
910 /*
911 * Make sure setup_alternate_shallow() for the next ref does
912 * not lose these new roots..
913 */
914 for (i = 0; i < extra.nr; i++)
915 register_shallow(the_repository, &extra.oid[i]);
916
917 si->shallow_ref[cmd->index] = 0;
918 oid_array_clear(&extra);
919 return 0;
920 }
921
922 /*
923 * NEEDSWORK: we should consolidate various implementions of "are we
924 * on an unborn branch?" test into one, and make the unified one more
925 * robust. !get_sha1() based check used here and elsewhere would not
926 * allow us to tell an unborn branch from corrupt ref, for example.
927 * For the purpose of fixing "deploy-to-update does not work when
928 * pushing into an empty repository" issue, this should suffice for
929 * now.
930 */
931 static int head_has_history(void)
932 {
933 struct object_id oid;
934
935 return !get_oid("HEAD", &oid);
936 }
937
938 static const char *push_to_deploy(unsigned char *sha1,
939 struct argv_array *env,
940 const char *work_tree)
941 {
942 const char *update_refresh[] = {
943 "update-index", "-q", "--ignore-submodules", "--refresh", NULL
944 };
945 const char *diff_files[] = {
946 "diff-files", "--quiet", "--ignore-submodules", "--", NULL
947 };
948 const char *diff_index[] = {
949 "diff-index", "--quiet", "--cached", "--ignore-submodules",
950 NULL, "--", NULL
951 };
952 const char *read_tree[] = {
953 "read-tree", "-u", "-m", NULL, NULL
954 };
955 struct child_process child = CHILD_PROCESS_INIT;
956
957 child.argv = update_refresh;
958 child.env = env->argv;
959 child.dir = work_tree;
960 child.no_stdin = 1;
961 child.stdout_to_stderr = 1;
962 child.git_cmd = 1;
963 if (run_command(&child))
964 return "Up-to-date check failed";
965
966 /* run_command() does not clean up completely; reinitialize */
967 child_process_init(&child);
968 child.argv = diff_files;
969 child.env = env->argv;
970 child.dir = work_tree;
971 child.no_stdin = 1;
972 child.stdout_to_stderr = 1;
973 child.git_cmd = 1;
974 if (run_command(&child))
975 return "Working directory has unstaged changes";
976
977 /* diff-index with either HEAD or an empty tree */
978 diff_index[4] = head_has_history() ? "HEAD" : empty_tree_oid_hex();
979
980 child_process_init(&child);
981 child.argv = diff_index;
982 child.env = env->argv;
983 child.no_stdin = 1;
984 child.no_stdout = 1;
985 child.stdout_to_stderr = 0;
986 child.git_cmd = 1;
987 if (run_command(&child))
988 return "Working directory has staged changes";
989
990 read_tree[3] = hash_to_hex(sha1);
991 child_process_init(&child);
992 child.argv = read_tree;
993 child.env = env->argv;
994 child.dir = work_tree;
995 child.no_stdin = 1;
996 child.no_stdout = 1;
997 child.stdout_to_stderr = 0;
998 child.git_cmd = 1;
999 if (run_command(&child))
1000 return "Could not update working tree to new HEAD";
1001
1002 return NULL;
1003 }
1004
1005 static const char *push_to_checkout_hook = "push-to-checkout";
1006
1007 static const char *push_to_checkout(unsigned char *hash,
1008 struct argv_array *env,
1009 const char *work_tree)
1010 {
1011 argv_array_pushf(env, "GIT_WORK_TREE=%s", absolute_path(work_tree));
1012 if (run_hook_le(env->argv, push_to_checkout_hook,
1013 hash_to_hex(hash), NULL))
1014 return "push-to-checkout hook declined";
1015 else
1016 return NULL;
1017 }
1018
1019 static const char *update_worktree(unsigned char *sha1)
1020 {
1021 const char *retval;
1022 const char *work_tree = git_work_tree_cfg ? git_work_tree_cfg : "..";
1023 struct argv_array env = ARGV_ARRAY_INIT;
1024
1025 if (is_bare_repository())
1026 return "denyCurrentBranch = updateInstead needs a worktree";
1027
1028 argv_array_pushf(&env, "GIT_DIR=%s", absolute_path(get_git_dir()));
1029
1030 if (!find_hook(push_to_checkout_hook))
1031 retval = push_to_deploy(sha1, &env, work_tree);
1032 else
1033 retval = push_to_checkout(sha1, &env, work_tree);
1034
1035 argv_array_clear(&env);
1036 return retval;
1037 }
1038
1039 static const char *update(struct command *cmd, struct shallow_info *si)
1040 {
1041 const char *name = cmd->ref_name;
1042 struct strbuf namespaced_name_buf = STRBUF_INIT;
1043 static char *namespaced_name;
1044 const char *ret;
1045 struct object_id *old_oid = &cmd->old_oid;
1046 struct object_id *new_oid = &cmd->new_oid;
1047 int do_update_worktree = 0;
1048
1049 /* only refs/... are allowed */
1050 if (!starts_with(name, "refs/") || check_refname_format(name + 5, 0)) {
1051 rp_error("refusing to create funny ref '%s' remotely", name);
1052 return "funny refname";
1053 }
1054
1055 strbuf_addf(&namespaced_name_buf, "%s%s", get_git_namespace(), name);
1056 free(namespaced_name);
1057 namespaced_name = strbuf_detach(&namespaced_name_buf, NULL);
1058
1059 if (is_ref_checked_out(namespaced_name)) {
1060 switch (deny_current_branch) {
1061 case DENY_IGNORE:
1062 break;
1063 case DENY_WARN:
1064 rp_warning("updating the current branch");
1065 break;
1066 case DENY_REFUSE:
1067 case DENY_UNCONFIGURED:
1068 rp_error("refusing to update checked out branch: %s", name);
1069 if (deny_current_branch == DENY_UNCONFIGURED)
1070 refuse_unconfigured_deny();
1071 return "branch is currently checked out";
1072 case DENY_UPDATE_INSTEAD:
1073 /* pass -- let other checks intervene first */
1074 do_update_worktree = 1;
1075 break;
1076 }
1077 }
1078
1079 if (!is_null_oid(new_oid) && !has_object_file(new_oid)) {
1080 error("unpack should have generated %s, "
1081 "but I can't find it!", oid_to_hex(new_oid));
1082 return "bad pack";
1083 }
1084
1085 if (!is_null_oid(old_oid) && is_null_oid(new_oid)) {
1086 if (deny_deletes && starts_with(name, "refs/heads/")) {
1087 rp_error("denying ref deletion for %s", name);
1088 return "deletion prohibited";
1089 }
1090
1091 if (head_name && !strcmp(namespaced_name, head_name)) {
1092 switch (deny_delete_current) {
1093 case DENY_IGNORE:
1094 break;
1095 case DENY_WARN:
1096 rp_warning("deleting the current branch");
1097 break;
1098 case DENY_REFUSE:
1099 case DENY_UNCONFIGURED:
1100 case DENY_UPDATE_INSTEAD:
1101 if (deny_delete_current == DENY_UNCONFIGURED)
1102 refuse_unconfigured_deny_delete_current();
1103 rp_error("refusing to delete the current branch: %s", name);
1104 return "deletion of the current branch prohibited";
1105 default:
1106 return "Invalid denyDeleteCurrent setting";
1107 }
1108 }
1109 }
1110
1111 if (deny_non_fast_forwards && !is_null_oid(new_oid) &&
1112 !is_null_oid(old_oid) &&
1113 starts_with(name, "refs/heads/")) {
1114 struct object *old_object, *new_object;
1115 struct commit *old_commit, *new_commit;
1116
1117 old_object = parse_object(the_repository, old_oid);
1118 new_object = parse_object(the_repository, new_oid);
1119
1120 if (!old_object || !new_object ||
1121 old_object->type != OBJ_COMMIT ||
1122 new_object->type != OBJ_COMMIT) {
1123 error("bad sha1 objects for %s", name);
1124 return "bad ref";
1125 }
1126 old_commit = (struct commit *)old_object;
1127 new_commit = (struct commit *)new_object;
1128 if (!in_merge_bases(old_commit, new_commit)) {
1129 rp_error("denying non-fast-forward %s"
1130 " (you should pull first)", name);
1131 return "non-fast-forward";
1132 }
1133 }
1134 if (run_update_hook(cmd)) {
1135 rp_error("hook declined to update %s", name);
1136 return "hook declined";
1137 }
1138
1139 if (do_update_worktree) {
1140 ret = update_worktree(new_oid->hash);
1141 if (ret)
1142 return ret;
1143 }
1144
1145 if (is_null_oid(new_oid)) {
1146 struct strbuf err = STRBUF_INIT;
1147 if (!parse_object(the_repository, old_oid)) {
1148 old_oid = NULL;
1149 if (ref_exists(name)) {
1150 rp_warning("Allowing deletion of corrupt ref.");
1151 } else {
1152 rp_warning("Deleting a non-existent ref.");
1153 cmd->did_not_exist = 1;
1154 }
1155 }
1156 if (ref_transaction_delete(transaction,
1157 namespaced_name,
1158 old_oid,
1159 0, "push", &err)) {
1160 rp_error("%s", err.buf);
1161 strbuf_release(&err);
1162 return "failed to delete";
1163 }
1164 strbuf_release(&err);
1165 return NULL; /* good */
1166 }
1167 else {
1168 struct strbuf err = STRBUF_INIT;
1169 if (shallow_update && si->shallow_ref[cmd->index] &&
1170 update_shallow_ref(cmd, si))
1171 return "shallow error";
1172
1173 if (ref_transaction_update(transaction,
1174 namespaced_name,
1175 new_oid, old_oid,
1176 0, "push",
1177 &err)) {
1178 rp_error("%s", err.buf);
1179 strbuf_release(&err);
1180
1181 return "failed to update ref";
1182 }
1183 strbuf_release(&err);
1184
1185 return NULL; /* good */
1186 }
1187 }
1188
1189 static void run_update_post_hook(struct command *commands)
1190 {
1191 struct command *cmd;
1192 struct child_process proc = CHILD_PROCESS_INIT;
1193 const char *hook;
1194
1195 hook = find_hook("post-update");
1196 if (!hook)
1197 return;
1198
1199 for (cmd = commands; cmd; cmd = cmd->next) {
1200 if (cmd->error_string || cmd->did_not_exist)
1201 continue;
1202 if (!proc.args.argc)
1203 argv_array_push(&proc.args, hook);
1204 argv_array_push(&proc.args, cmd->ref_name);
1205 }
1206 if (!proc.args.argc)
1207 return;
1208
1209 proc.no_stdin = 1;
1210 proc.stdout_to_stderr = 1;
1211 proc.err = use_sideband ? -1 : 0;
1212 proc.trace2_hook_name = "post-update";
1213
1214 if (!start_command(&proc)) {
1215 if (use_sideband)
1216 copy_to_sideband(proc.err, -1, NULL);
1217 finish_command(&proc);
1218 }
1219 }
1220
1221 static void check_aliased_update_internal(struct command *cmd,
1222 struct string_list *list,
1223 const char *dst_name, int flag)
1224 {
1225 struct string_list_item *item;
1226 struct command *dst_cmd;
1227
1228 if (!(flag & REF_ISSYMREF))
1229 return;
1230
1231 if (!dst_name) {
1232 rp_error("refusing update to broken symref '%s'", cmd->ref_name);
1233 cmd->skip_update = 1;
1234 cmd->error_string = "broken symref";
1235 return;
1236 }
1237 dst_name = strip_namespace(dst_name);
1238
1239 if ((item = string_list_lookup(list, dst_name)) == NULL)
1240 return;
1241
1242 cmd->skip_update = 1;
1243
1244 dst_cmd = (struct command *) item->util;
1245
1246 if (oideq(&cmd->old_oid, &dst_cmd->old_oid) &&
1247 oideq(&cmd->new_oid, &dst_cmd->new_oid))
1248 return;
1249
1250 dst_cmd->skip_update = 1;
1251
1252 rp_error("refusing inconsistent update between symref '%s' (%s..%s) and"
1253 " its target '%s' (%s..%s)",
1254 cmd->ref_name,
1255 find_unique_abbrev(&cmd->old_oid, DEFAULT_ABBREV),
1256 find_unique_abbrev(&cmd->new_oid, DEFAULT_ABBREV),
1257 dst_cmd->ref_name,
1258 find_unique_abbrev(&dst_cmd->old_oid, DEFAULT_ABBREV),
1259 find_unique_abbrev(&dst_cmd->new_oid, DEFAULT_ABBREV));
1260
1261 cmd->error_string = dst_cmd->error_string =
1262 "inconsistent aliased update";
1263 }
1264
1265 static void check_aliased_update(struct command *cmd, struct string_list *list)
1266 {
1267 struct strbuf buf = STRBUF_INIT;
1268 const char *dst_name;
1269 int flag;
1270
1271 strbuf_addf(&buf, "%s%s", get_git_namespace(), cmd->ref_name);
1272 dst_name = resolve_ref_unsafe(buf.buf, 0, NULL, &flag);
1273 check_aliased_update_internal(cmd, list, dst_name, flag);
1274 strbuf_release(&buf);
1275 }
1276
1277 static void check_aliased_updates(struct command *commands)
1278 {
1279 struct command *cmd;
1280 struct string_list ref_list = STRING_LIST_INIT_NODUP;
1281
1282 for (cmd = commands; cmd; cmd = cmd->next) {
1283 struct string_list_item *item =
1284 string_list_append(&ref_list, cmd->ref_name);
1285 item->util = (void *)cmd;
1286 }
1287 string_list_sort(&ref_list);
1288
1289 for (cmd = commands; cmd; cmd = cmd->next) {
1290 if (!cmd->error_string)
1291 check_aliased_update(cmd, &ref_list);
1292 }
1293
1294 string_list_clear(&ref_list, 0);
1295 }
1296
1297 static int command_singleton_iterator(void *cb_data, struct object_id *oid)
1298 {
1299 struct command **cmd_list = cb_data;
1300 struct command *cmd = *cmd_list;
1301
1302 if (!cmd || is_null_oid(&cmd->new_oid))
1303 return -1; /* end of list */
1304 *cmd_list = NULL; /* this returns only one */
1305 oidcpy(oid, &cmd->new_oid);
1306 return 0;
1307 }
1308
1309 static void set_connectivity_errors(struct command *commands,
1310 struct shallow_info *si)
1311 {
1312 struct command *cmd;
1313
1314 for (cmd = commands; cmd; cmd = cmd->next) {
1315 struct command *singleton = cmd;
1316 struct check_connected_options opt = CHECK_CONNECTED_INIT;
1317
1318 if (shallow_update && si->shallow_ref[cmd->index])
1319 /* to be checked in update_shallow_ref() */
1320 continue;
1321
1322 opt.env = tmp_objdir_env(tmp_objdir);
1323 if (!check_connected(command_singleton_iterator, &singleton,
1324 &opt))
1325 continue;
1326
1327 cmd->error_string = "missing necessary objects";
1328 }
1329 }
1330
1331 struct iterate_data {
1332 struct command *cmds;
1333 struct shallow_info *si;
1334 };
1335
1336 static int iterate_receive_command_list(void *cb_data, struct object_id *oid)
1337 {
1338 struct iterate_data *data = cb_data;
1339 struct command **cmd_list = &data->cmds;
1340 struct command *cmd = *cmd_list;
1341
1342 for (; cmd; cmd = cmd->next) {
1343 if (shallow_update && data->si->shallow_ref[cmd->index])
1344 /* to be checked in update_shallow_ref() */
1345 continue;
1346 if (!is_null_oid(&cmd->new_oid) && !cmd->skip_update) {
1347 oidcpy(oid, &cmd->new_oid);
1348 *cmd_list = cmd->next;
1349 return 0;
1350 }
1351 }
1352 *cmd_list = NULL;
1353 return -1; /* end of list */
1354 }
1355
1356 static void reject_updates_to_hidden(struct command *commands)
1357 {
1358 struct strbuf refname_full = STRBUF_INIT;
1359 size_t prefix_len;
1360 struct command *cmd;
1361
1362 strbuf_addstr(&refname_full, get_git_namespace());
1363 prefix_len = refname_full.len;
1364
1365 for (cmd = commands; cmd; cmd = cmd->next) {
1366 if (cmd->error_string)
1367 continue;
1368
1369 strbuf_setlen(&refname_full, prefix_len);
1370 strbuf_addstr(&refname_full, cmd->ref_name);
1371
1372 if (!ref_is_hidden(cmd->ref_name, refname_full.buf))
1373 continue;
1374 if (is_null_oid(&cmd->new_oid))
1375 cmd->error_string = "deny deleting a hidden ref";
1376 else
1377 cmd->error_string = "deny updating a hidden ref";
1378 }
1379
1380 strbuf_release(&refname_full);
1381 }
1382
1383 static int should_process_cmd(struct command *cmd)
1384 {
1385 return !cmd->error_string && !cmd->skip_update;
1386 }
1387
1388 static void warn_if_skipped_connectivity_check(struct command *commands,
1389 struct shallow_info *si)
1390 {
1391 struct command *cmd;
1392 int checked_connectivity = 1;
1393
1394 for (cmd = commands; cmd; cmd = cmd->next) {
1395 if (should_process_cmd(cmd) && si->shallow_ref[cmd->index]) {
1396 error("BUG: connectivity check has not been run on ref %s",
1397 cmd->ref_name);
1398 checked_connectivity = 0;
1399 }
1400 }
1401 if (!checked_connectivity)
1402 BUG("connectivity check skipped???");
1403 }
1404
1405 static void execute_commands_non_atomic(struct command *commands,
1406 struct shallow_info *si)
1407 {
1408 struct command *cmd;
1409 struct strbuf err = STRBUF_INIT;
1410
1411 for (cmd = commands; cmd; cmd = cmd->next) {
1412 if (!should_process_cmd(cmd))
1413 continue;
1414
1415 transaction = ref_transaction_begin(&err);
1416 if (!transaction) {
1417 rp_error("%s", err.buf);
1418 strbuf_reset(&err);
1419 cmd->error_string = "transaction failed to start";
1420 continue;
1421 }
1422
1423 cmd->error_string = update(cmd, si);
1424
1425 if (!cmd->error_string
1426 && ref_transaction_commit(transaction, &err)) {
1427 rp_error("%s", err.buf);
1428 strbuf_reset(&err);
1429 cmd->error_string = "failed to update ref";
1430 }
1431 ref_transaction_free(transaction);
1432 }
1433 strbuf_release(&err);
1434 }
1435
1436 static void execute_commands_atomic(struct command *commands,
1437 struct shallow_info *si)
1438 {
1439 struct command *cmd;
1440 struct strbuf err = STRBUF_INIT;
1441 const char *reported_error = "atomic push failure";
1442
1443 transaction = ref_transaction_begin(&err);
1444 if (!transaction) {
1445 rp_error("%s", err.buf);
1446 strbuf_reset(&err);
1447 reported_error = "transaction failed to start";
1448 goto failure;
1449 }
1450
1451 for (cmd = commands; cmd; cmd = cmd->next) {
1452 if (!should_process_cmd(cmd))
1453 continue;
1454
1455 cmd->error_string = update(cmd, si);
1456
1457 if (cmd->error_string)
1458 goto failure;
1459 }
1460
1461 if (ref_transaction_commit(transaction, &err)) {
1462 rp_error("%s", err.buf);
1463 reported_error = "atomic transaction failed";
1464 goto failure;
1465 }
1466 goto cleanup;
1467
1468 failure:
1469 for (cmd = commands; cmd; cmd = cmd->next)
1470 if (!cmd->error_string)
1471 cmd->error_string = reported_error;
1472
1473 cleanup:
1474 ref_transaction_free(transaction);
1475 strbuf_release(&err);
1476 }
1477
1478 static void execute_commands(struct command *commands,
1479 const char *unpacker_error,
1480 struct shallow_info *si,
1481 const struct string_list *push_options)
1482 {
1483 struct check_connected_options opt = CHECK_CONNECTED_INIT;
1484 struct command *cmd;
1485 struct iterate_data data;
1486 struct async muxer;
1487 int err_fd = 0;
1488
1489 if (unpacker_error) {
1490 for (cmd = commands; cmd; cmd = cmd->next)
1491 cmd->error_string = "unpacker error";
1492 return;
1493 }
1494
1495 if (use_sideband) {
1496 memset(&muxer, 0, sizeof(muxer));
1497 muxer.proc = copy_to_sideband;
1498 muxer.in = -1;
1499 if (!start_async(&muxer))
1500 err_fd = muxer.in;
1501 /* ...else, continue without relaying sideband */
1502 }
1503
1504 data.cmds = commands;
1505 data.si = si;
1506 opt.err_fd = err_fd;
1507 opt.progress = err_fd && !quiet;
1508 opt.env = tmp_objdir_env(tmp_objdir);
1509 if (check_connected(iterate_receive_command_list, &data, &opt))
1510 set_connectivity_errors(commands, si);
1511
1512 if (use_sideband)
1513 finish_async(&muxer);
1514
1515 reject_updates_to_hidden(commands);
1516
1517 if (run_receive_hook(commands, "pre-receive", 0, push_options)) {
1518 for (cmd = commands; cmd; cmd = cmd->next) {
1519 if (!cmd->error_string)
1520 cmd->error_string = "pre-receive hook declined";
1521 }
1522 return;
1523 }
1524
1525 /*
1526 * Now we'll start writing out refs, which means the objects need
1527 * to be in their final positions so that other processes can see them.
1528 */
1529 if (tmp_objdir_migrate(tmp_objdir) < 0) {
1530 for (cmd = commands; cmd; cmd = cmd->next) {
1531 if (!cmd->error_string)
1532 cmd->error_string = "unable to migrate objects to permanent storage";
1533 }
1534 return;
1535 }
1536 tmp_objdir = NULL;
1537
1538 check_aliased_updates(commands);
1539
1540 free(head_name_to_free);
1541 head_name = head_name_to_free = resolve_refdup("HEAD", 0, NULL, NULL);
1542
1543 if (use_atomic)
1544 execute_commands_atomic(commands, si);
1545 else
1546 execute_commands_non_atomic(commands, si);
1547
1548 if (shallow_update)
1549 warn_if_skipped_connectivity_check(commands, si);
1550 }
1551
1552 static struct command **queue_command(struct command **tail,
1553 const char *line,
1554 int linelen)
1555 {
1556 struct object_id old_oid, new_oid;
1557 struct command *cmd;
1558 const char *refname;
1559 int reflen;
1560 const char *p;
1561
1562 if (parse_oid_hex(line, &old_oid, &p) ||
1563 *p++ != ' ' ||
1564 parse_oid_hex(p, &new_oid, &p) ||
1565 *p++ != ' ')
1566 die("protocol error: expected old/new/ref, got '%s'", line);
1567
1568 refname = p;
1569 reflen = linelen - (p - line);
1570 FLEX_ALLOC_MEM(cmd, ref_name, refname, reflen);
1571 oidcpy(&cmd->old_oid, &old_oid);
1572 oidcpy(&cmd->new_oid, &new_oid);
1573 *tail = cmd;
1574 return &cmd->next;
1575 }
1576
1577 static void queue_commands_from_cert(struct command **tail,
1578 struct strbuf *push_cert)
1579 {
1580 const char *boc, *eoc;
1581
1582 if (*tail)
1583 die("protocol error: got both push certificate and unsigned commands");
1584
1585 boc = strstr(push_cert->buf, "\n\n");
1586 if (!boc)
1587 die("malformed push certificate %.*s", 100, push_cert->buf);
1588 else
1589 boc += 2;
1590 eoc = push_cert->buf + parse_signature(push_cert->buf, push_cert->len);
1591
1592 while (boc < eoc) {
1593 const char *eol = memchr(boc, '\n', eoc - boc);
1594 tail = queue_command(tail, boc, eol ? eol - boc : eoc - boc);
1595 boc = eol ? eol + 1 : eoc;
1596 }
1597 }
1598
1599 static struct command *read_head_info(struct packet_reader *reader,
1600 struct oid_array *shallow)
1601 {
1602 struct command *commands = NULL;
1603 struct command **p = &commands;
1604 for (;;) {
1605 int linelen;
1606
1607 if (packet_reader_read(reader) != PACKET_READ_NORMAL)
1608 break;
1609
1610 if (reader->pktlen > 8 && starts_with(reader->line, "shallow ")) {
1611 struct object_id oid;
1612 if (get_oid_hex(reader->line + 8, &oid))
1613 die("protocol error: expected shallow sha, got '%s'",
1614 reader->line + 8);
1615 oid_array_append(shallow, &oid);
1616 continue;
1617 }
1618
1619 linelen = strlen(reader->line);
1620 if (linelen < reader->pktlen) {
1621 const char *feature_list = reader->line + linelen + 1;
1622 if (parse_feature_request(feature_list, "report-status"))
1623 report_status = 1;
1624 if (parse_feature_request(feature_list, "side-band-64k"))
1625 use_sideband = LARGE_PACKET_MAX;
1626 if (parse_feature_request(feature_list, "quiet"))
1627 quiet = 1;
1628 if (advertise_atomic_push
1629 && parse_feature_request(feature_list, "atomic"))
1630 use_atomic = 1;
1631 if (advertise_push_options
1632 && parse_feature_request(feature_list, "push-options"))
1633 use_push_options = 1;
1634 }
1635
1636 if (!strcmp(reader->line, "push-cert")) {
1637 int true_flush = 0;
1638 int saved_options = reader->options;
1639 reader->options &= ~PACKET_READ_CHOMP_NEWLINE;
1640
1641 for (;;) {
1642 packet_reader_read(reader);
1643 if (reader->status == PACKET_READ_FLUSH) {
1644 true_flush = 1;
1645 break;
1646 }
1647 if (reader->status != PACKET_READ_NORMAL) {
1648 die("protocol error: got an unexpected packet");
1649 }
1650 if (!strcmp(reader->line, "push-cert-end\n"))
1651 break; /* end of cert */
1652 strbuf_addstr(&push_cert, reader->line);
1653 }
1654 reader->options = saved_options;
1655
1656 if (true_flush)
1657 break;
1658 continue;
1659 }
1660
1661 p = queue_command(p, reader->line, linelen);
1662 }
1663
1664 if (push_cert.len)
1665 queue_commands_from_cert(p, &push_cert);
1666
1667 return commands;
1668 }
1669
1670 static void read_push_options(struct packet_reader *reader,
1671 struct string_list *options)
1672 {
1673 while (1) {
1674 if (packet_reader_read(reader) != PACKET_READ_NORMAL)
1675 break;
1676
1677 string_list_append(options, reader->line);
1678 }
1679 }
1680
1681 static const char *parse_pack_header(struct pack_header *hdr)
1682 {
1683 switch (read_pack_header(0, hdr)) {
1684 case PH_ERROR_EOF:
1685 return "eof before pack header was fully read";
1686
1687 case PH_ERROR_PACK_SIGNATURE:
1688 return "protocol error (pack signature mismatch detected)";
1689
1690 case PH_ERROR_PROTOCOL:
1691 return "protocol error (pack version unsupported)";
1692
1693 default:
1694 return "unknown error in parse_pack_header";
1695
1696 case 0:
1697 return NULL;
1698 }
1699 }
1700
1701 static const char *pack_lockfile;
1702
1703 static void push_header_arg(struct argv_array *args, struct pack_header *hdr)
1704 {
1705 argv_array_pushf(args, "--pack_header=%"PRIu32",%"PRIu32,
1706 ntohl(hdr->hdr_version), ntohl(hdr->hdr_entries));
1707 }
1708
1709 static const char *unpack(int err_fd, struct shallow_info *si)
1710 {
1711 struct pack_header hdr;
1712 const char *hdr_err;
1713 int status;
1714 struct child_process child = CHILD_PROCESS_INIT;
1715 int fsck_objects = (receive_fsck_objects >= 0
1716 ? receive_fsck_objects
1717 : transfer_fsck_objects >= 0
1718 ? transfer_fsck_objects
1719 : 0);
1720
1721 hdr_err = parse_pack_header(&hdr);
1722 if (hdr_err) {
1723 if (err_fd > 0)
1724 close(err_fd);
1725 return hdr_err;
1726 }
1727
1728 if (si->nr_ours || si->nr_theirs) {
1729 alt_shallow_file = setup_temporary_shallow(si->shallow);
1730 argv_array_push(&child.args, "--shallow-file");
1731 argv_array_push(&child.args, alt_shallow_file);
1732 }
1733
1734 tmp_objdir = tmp_objdir_create();
1735 if (!tmp_objdir) {
1736 if (err_fd > 0)
1737 close(err_fd);
1738 return "unable to create temporary object directory";
1739 }
1740 child.env = tmp_objdir_env(tmp_objdir);
1741
1742 /*
1743 * Normally we just pass the tmp_objdir environment to the child
1744 * processes that do the heavy lifting, but we may need to see these
1745 * objects ourselves to set up shallow information.
1746 */
1747 tmp_objdir_add_as_alternate(tmp_objdir);
1748
1749 if (ntohl(hdr.hdr_entries) < unpack_limit) {
1750 argv_array_push(&child.args, "unpack-objects");
1751 push_header_arg(&child.args, &hdr);
1752 if (quiet)
1753 argv_array_push(&child.args, "-q");
1754 if (fsck_objects)
1755 argv_array_pushf(&child.args, "--strict%s",
1756 fsck_msg_types.buf);
1757 if (max_input_size)
1758 argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1759 (uintmax_t)max_input_size);
1760 child.no_stdout = 1;
1761 child.err = err_fd;
1762 child.git_cmd = 1;
1763 status = run_command(&child);
1764 if (status)
1765 return "unpack-objects abnormal exit";
1766 } else {
1767 char hostname[HOST_NAME_MAX + 1];
1768
1769 argv_array_pushl(&child.args, "index-pack", "--stdin", NULL);
1770 push_header_arg(&child.args, &hdr);
1771
1772 if (xgethostname(hostname, sizeof(hostname)))
1773 xsnprintf(hostname, sizeof(hostname), "localhost");
1774 argv_array_pushf(&child.args,
1775 "--keep=receive-pack %"PRIuMAX" on %s",
1776 (uintmax_t)getpid(),
1777 hostname);
1778
1779 if (!quiet && err_fd)
1780 argv_array_push(&child.args, "--show-resolving-progress");
1781 if (use_sideband)
1782 argv_array_push(&child.args, "--report-end-of-input");
1783 if (fsck_objects)
1784 argv_array_pushf(&child.args, "--strict%s",
1785 fsck_msg_types.buf);
1786 if (!reject_thin)
1787 argv_array_push(&child.args, "--fix-thin");
1788 if (max_input_size)
1789 argv_array_pushf(&child.args, "--max-input-size=%"PRIuMAX,
1790 (uintmax_t)max_input_size);
1791 child.out = -1;
1792 child.err = err_fd;
1793 child.git_cmd = 1;
1794 status = start_command(&child);
1795 if (status)
1796 return "index-pack fork failed";
1797 pack_lockfile = index_pack_lockfile(child.out);
1798 close(child.out);
1799 status = finish_command(&child);
1800 if (status)
1801 return "index-pack abnormal exit";
1802 reprepare_packed_git(the_repository);
1803 }
1804 return NULL;
1805 }
1806
1807 static const char *unpack_with_sideband(struct shallow_info *si)
1808 {
1809 struct async muxer;
1810 const char *ret;
1811
1812 if (!use_sideband)
1813 return unpack(0, si);
1814
1815 use_keepalive = KEEPALIVE_AFTER_NUL;
1816 memset(&muxer, 0, sizeof(muxer));
1817 muxer.proc = copy_to_sideband;
1818 muxer.in = -1;
1819 if (start_async(&muxer))
1820 return NULL;
1821
1822 ret = unpack(muxer.in, si);
1823
1824 finish_async(&muxer);
1825 return ret;
1826 }
1827
1828 static void prepare_shallow_update(struct shallow_info *si)
1829 {
1830 int i, j, k, bitmap_size = DIV_ROUND_UP(si->ref->nr, 32);
1831
1832 ALLOC_ARRAY(si->used_shallow, si->shallow->nr);
1833 assign_shallow_commits_to_refs(si, si->used_shallow, NULL);
1834
1835 si->need_reachability_test =
1836 xcalloc(si->shallow->nr, sizeof(*si->need_reachability_test));
1837 si->reachable =
1838 xcalloc(si->shallow->nr, sizeof(*si->reachable));
1839 si->shallow_ref = xcalloc(si->ref->nr, sizeof(*si->shallow_ref));
1840
1841 for (i = 0; i < si->nr_ours; i++)
1842 si->need_reachability_test[si->ours[i]] = 1;
1843
1844 for (i = 0; i < si->shallow->nr; i++) {
1845 if (!si->used_shallow[i])
1846 continue;
1847 for (j = 0; j < bitmap_size; j++) {
1848 if (!si->used_shallow[i][j])
1849 continue;
1850 si->need_reachability_test[i]++;
1851 for (k = 0; k < 32; k++)
1852 if (si->used_shallow[i][j] & (1U << k))
1853 si->shallow_ref[j * 32 + k]++;
1854 }
1855
1856 /*
1857 * true for those associated with some refs and belong
1858 * in "ours" list aka "step 7 not done yet"
1859 */
1860 si->need_reachability_test[i] =
1861 si->need_reachability_test[i] > 1;
1862 }
1863
1864 /*
1865 * keep hooks happy by forcing a temporary shallow file via
1866 * env variable because we can't add --shallow-file to every
1867 * command. check_connected() will be done with
1868 * true .git/shallow though.
1869 */
1870 setenv(GIT_SHALLOW_FILE_ENVIRONMENT, alt_shallow_file, 1);
1871 }
1872
1873 static void update_shallow_info(struct command *commands,
1874 struct shallow_info *si,
1875 struct oid_array *ref)
1876 {
1877 struct command *cmd;
1878 int *ref_status;
1879 remove_nonexistent_theirs_shallow(si);
1880 if (!si->nr_ours && !si->nr_theirs) {
1881 shallow_update = 0;
1882 return;
1883 }
1884
1885 for (cmd = commands; cmd; cmd = cmd->next) {
1886 if (is_null_oid(&cmd->new_oid))
1887 continue;
1888 oid_array_append(ref, &cmd->new_oid);
1889 cmd->index = ref->nr - 1;
1890 }
1891 si->ref = ref;
1892
1893 if (shallow_update) {
1894 prepare_shallow_update(si);
1895 return;
1896 }
1897
1898 ALLOC_ARRAY(ref_status, ref->nr);
1899 assign_shallow_commits_to_refs(si, NULL, ref_status);
1900 for (cmd = commands; cmd; cmd = cmd->next) {
1901 if (is_null_oid(&cmd->new_oid))
1902 continue;
1903 if (ref_status[cmd->index]) {
1904 cmd->error_string = "shallow update not allowed";
1905 cmd->skip_update = 1;
1906 }
1907 }
1908 free(ref_status);
1909 }
1910
1911 static void report(struct command *commands, const char *unpack_status)
1912 {
1913 struct command *cmd;
1914 struct strbuf buf = STRBUF_INIT;
1915
1916 packet_buf_write(&buf, "unpack %s\n",
1917 unpack_status ? unpack_status : "ok");
1918 for (cmd = commands; cmd; cmd = cmd->next) {
1919 if (!cmd->error_string)
1920 packet_buf_write(&buf, "ok %s\n",
1921 cmd->ref_name);
1922 else
1923 packet_buf_write(&buf, "ng %s %s\n",
1924 cmd->ref_name, cmd->error_string);
1925 }
1926 packet_buf_flush(&buf);
1927
1928 if (use_sideband)
1929 send_sideband(1, 1, buf.buf, buf.len, use_sideband);
1930 else
1931 write_or_die(1, buf.buf, buf.len);
1932 strbuf_release(&buf);
1933 }
1934
1935 static int delete_only(struct command *commands)
1936 {
1937 struct command *cmd;
1938 for (cmd = commands; cmd; cmd = cmd->next) {
1939 if (!is_null_oid(&cmd->new_oid))
1940 return 0;
1941 }
1942 return 1;
1943 }
1944
1945 int cmd_receive_pack(int argc, const char **argv, const char *prefix)
1946 {
1947 int advertise_refs = 0;
1948 struct command *commands;
1949 struct oid_array shallow = OID_ARRAY_INIT;
1950 struct oid_array ref = OID_ARRAY_INIT;
1951 struct shallow_info si;
1952 struct packet_reader reader;
1953
1954 struct option options[] = {
1955 OPT__QUIET(&quiet, N_("quiet")),
1956 OPT_HIDDEN_BOOL(0, "stateless-rpc", &stateless_rpc, NULL),
1957 OPT_HIDDEN_BOOL(0, "advertise-refs", &advertise_refs, NULL),
1958 OPT_HIDDEN_BOOL(0, "reject-thin-pack-for-testing", &reject_thin, NULL),
1959 OPT_END()
1960 };
1961
1962 packet_trace_identity("receive-pack");
1963
1964 argc = parse_options(argc, argv, prefix, options, receive_pack_usage, 0);
1965
1966 if (argc > 1)
1967 usage_msg_opt(_("Too many arguments."), receive_pack_usage, options);
1968 if (argc == 0)
1969 usage_msg_opt(_("You must specify a directory."), receive_pack_usage, options);
1970
1971 service_dir = argv[0];
1972
1973 setup_path();
1974
1975 if (!enter_repo(service_dir, 0))
1976 die("'%s' does not appear to be a git repository", service_dir);
1977
1978 git_config(receive_pack_config, NULL);
1979 if (cert_nonce_seed)
1980 push_cert_nonce = prepare_push_cert_nonce(service_dir, time(NULL));
1981
1982 if (0 <= transfer_unpack_limit)
1983 unpack_limit = transfer_unpack_limit;
1984 else if (0 <= receive_unpack_limit)
1985 unpack_limit = receive_unpack_limit;
1986
1987 switch (determine_protocol_version_server()) {
1988 case protocol_v2:
1989 /*
1990 * push support for protocol v2 has not been implemented yet,
1991 * so ignore the request to use v2 and fallback to using v0.
1992 */
1993 break;
1994 case protocol_v1:
1995 /*
1996 * v1 is just the original protocol with a version string,
1997 * so just fall through after writing the version string.
1998 */
1999 if (advertise_refs || !stateless_rpc)
2000 packet_write_fmt(1, "version 1\n");
2001
2002 /* fallthrough */
2003 case protocol_v0:
2004 break;
2005 case protocol_unknown_version:
2006 BUG("unknown protocol version");
2007 }
2008
2009 if (advertise_refs || !stateless_rpc) {
2010 write_head_info();
2011 }
2012 if (advertise_refs)
2013 return 0;
2014
2015 packet_reader_init(&reader, 0, NULL, 0,
2016 PACKET_READ_CHOMP_NEWLINE |
2017 PACKET_READ_DIE_ON_ERR_PACKET);
2018
2019 if ((commands = read_head_info(&reader, &shallow)) != NULL) {
2020 const char *unpack_status = NULL;
2021 struct string_list push_options = STRING_LIST_INIT_DUP;
2022
2023 if (use_push_options)
2024 read_push_options(&reader, &push_options);
2025 if (!check_cert_push_options(&push_options)) {
2026 struct command *cmd;
2027 for (cmd = commands; cmd; cmd = cmd->next)
2028 cmd->error_string = "inconsistent push options";
2029 }
2030
2031 prepare_shallow_info(&si, &shallow);
2032 if (!si.nr_ours && !si.nr_theirs)
2033 shallow_update = 0;
2034 if (!delete_only(commands)) {
2035 unpack_status = unpack_with_sideband(&si);
2036 update_shallow_info(commands, &si, &ref);
2037 }
2038 use_keepalive = KEEPALIVE_ALWAYS;
2039 execute_commands(commands, unpack_status, &si,
2040 &push_options);
2041 if (pack_lockfile)
2042 unlink_or_warn(pack_lockfile);
2043 if (report_status)
2044 report(commands, unpack_status);
2045 run_receive_hook(commands, "post-receive", 1,
2046 &push_options);
2047 run_update_post_hook(commands);
2048 string_list_clear(&push_options, 0);
2049 if (auto_gc) {
2050 const char *argv_gc_auto[] = {
2051 "gc", "--auto", "--quiet", NULL,
2052 };
2053 struct child_process proc = CHILD_PROCESS_INIT;
2054
2055 proc.no_stdin = 1;
2056 proc.stdout_to_stderr = 1;
2057 proc.err = use_sideband ? -1 : 0;
2058 proc.git_cmd = 1;
2059 proc.argv = argv_gc_auto;
2060
2061 close_object_store(the_repository->objects);
2062 if (!start_command(&proc)) {
2063 if (use_sideband)
2064 copy_to_sideband(proc.err, -1, NULL);
2065 finish_command(&proc);
2066 }
2067 }
2068 if (auto_update_server_info)
2069 update_server_info(0);
2070 clear_shallow_info(&si);
2071 }
2072 if (use_sideband)
2073 packet_flush(1);
2074 oid_array_clear(&shallow);
2075 oid_array_clear(&ref);
2076 free((void *)push_cert_nonce);
2077 return 0;
2078 }
The Best VCS Around